The other day it was announced that Citi Bank was once again the victim of data theft: over 200,000 credit card holders may have had their personally identifiable information exposed to hackers. This latest breach is just another recurring episode in the endless saga of “bank gets hacked, and does little to prevent future occurrences.” At some point, this form of naivety has to move into the category of what most plaintiffs’ attorneys would call gross negligence. The financial industry is like a dog chasing its tail when it comes to addressing the security of its information infrastructure. Here’s a hint, financial sector, politicians, and FDIC: IT’S NOT THE TECHNOLOGY!

The New York Times quoted the FDIC Chairwoman, Sheila C. Bair, who called on banks to “strengthen” their authentication protocols when customers log in to their accounts online. However, is this strategy, or ones similarly built around enhancing technology, going to prevent future data breaches from occurring? Where are the incentives for financial institutions to start caring about how they are securing their mission-critical data? The fact is, banks have very little incentive to really care about how they secure personal information. The costs associated with creating a new account, providing credit-monitoring reports, and other preventative maintenance are still so marginal that they would rather take that risk than implement some sort of data governance policy internally.

“Citi has implemented enhanced procedures to prevent a recurrence of this type of event.”

I hold bank accounts with both Wall Street and Main Street financial institutions, and what I find most striking about the two when compared side-by-side is their outward appearance. The Wall Street institution has cages, cameras, combinations, and other authentication to show its customers how it “secures” their money, but the Main Street bank has none of that. To my knowledge, my money is just as secure in the vault located on Main Street as it is on Wall Street, and similarly, the employees at the Main Street bank seem just as happy as the employees on Wall Street, yet they don’t go to work in environments where they are constantly surrounded by bullet-proof cages or cameras.

By analogy, is it possible that securing mission-critical data is more about internal/external processes and people than it is about technological enhancements and capabilities? Citi Bank, et al., continue to pour massive amounts of capital into “enhanced procedures” to prevent future occurrences of data loss, and yet very little is being done to stem the tide of loss. At the end of the day, it’s the people who have to shut the vaults, spin the dials, and lock the doors in order to prevent robbers from taking money out of the bank in the middle of the night. In the world of cyber-security, size doesn’t really matter when it comes to procedural “enhancements,” and bigger isn’t always better.